Slave Jojn errors

Uzzi · October 11, 2023, 6:15pm

Hi, I’ve followed Problem: 96univention-samba4 fails with ctx.local_samdb.transaction_commit but I’ve alwayse error:

ERROR: incorrect instanceType part of Binary DN binary component for msDS-HasInstantiatedNCs in object CN=NTDS Settings,CN=UCS-master,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain

and

re-indexed database : (68, 'reindexing failed

these are join errors:

An operation failed during a batch mode transaction, the transaction was rolled back
Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: ‘(&(flatname=DOMAIN)(objectclass=primaryDomain))’ base: ‘cn=Primary Domains’: No such object: dsdb_search at …/…/source4/dsdb/common/util.c:5157) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
ERROR(ldb): uncaught exception - end_trans error on DC=DomainDnsZones,DC=domain,DC=intranet: An operation failed during a batch mode transaction, the transaction was rolled back

scheinig · October 12, 2023, 8:05am

Hi Uzzi,

what is the complete re-index failed output. I think you have to fix the re-index failure.

Uzzi · October 12, 2023, 12:09pm

Hi @scheinig , thank you for feedback.
this is samba-tool dbcheck --cross-ncs --fix --yes output:

Processing section "[global]"
Checking 5745 objects
ERROR: incorrect instanceType part of Binary DN binary component for msDS-HasInstantiatedNCs in object CN=NTDS Settings,CN=UCS-master,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxxxxx,DC=intranet - B:8:00000005:<GUID=626a920e-3831-4756-a079-8cca160550cd>;<RMD_ADDTIME=132125937350000000>;<RMD_CHANGETIME=132125984120000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c8a4341e-8676-4226-9e89-74b792a812be>;<RMD_LOCAL_USN=360382>;<RMD_ORIGINATING_USN=360382>;<RMD_VERSION=2>;CN=Configuration,DC=xxxxx,DC=intranet
Change DN to B:8:0000000D:<GUID=626a920e-3831-4756-a079-8cca160550cd>;<RMD_ADDTIME=132125937350000000>;<RMD_CHANGETIME=132125984120000000>;<RMD_FLAGS=1>;<RMD_INVOCID=c8a4341e-8676-4226-9e89-74b792a812be>;<RMD_LOCAL_USN=360382>;<RMD_ORIGINATING_USN=360382>;<RMD_VERSION=2>;CN=Configuration,DC=xxxxxx,DC=intranet? [YES]
Failed to fix incorrect instanceType part of Binary DN on attribute msDS-HasInstantiatedNCs : (16, 'Attribute msDS-HasInstantiatedNCs already deleted for target GUID 626a920e-3831-4756-a079-8cca160550cd')
Checked 5745 objects (1 errors)
descriptor_prepare_commit: changes: num_registrations=0
descriptor_prepare_commit: changes: num_registered=0
descriptor_prepare_commit: changes: num_toplevel=0
descriptor_prepare_commit: changes: num_processed=0
descriptor_prepare_commit: objects: num_processed=0
descriptor_prepare_commit: objects: num_skipped=0

And this is samba-tool dbcheck --reindex output:

Processing section "[global]"
Re-indexing...
re-indexed database : (68, 'reindexing failed: Entry DC=\\ mattermost,DC=xxxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxxxx,DC=intranet already exists')

scheinig · October 13, 2023, 12:58pm

Hi Uzzi,

it seems there is an other object, maybe an deleted one in samba.
Could you please check:

univention-s4search --cross-ncs --show-deleted -b DC=xxxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxxxx,DC=intranet 1.1 | grep mattermost

Best Christina

Uzzi · October 14, 2023, 7:35am

thi is output:

Processing section "[global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
dn: DC=\ mattermost,DC=xxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxxx,DC=intranet
dn: DC=\ mattermost,DC=xxxxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxxx,DC=intranet

scheinig · October 16, 2023, 12:34pm

HI Uzzi,

so you this looks like two entries in two different zones? This is not the samba object, right? So I guess this is the issue here.

I would like to compare 7check the GUID from the objects:

univention-s4search --cross-ncs DC=*mattermost objectGUID

and I would like to check the hostrecords via udm

udm dns/host_record list --filter  relativeDomainName=*mattermost

Uzzi · October 16, 2023, 12:57pm

univention-s4search --cross-ncs DC=*mattermost objectGUID;

# record 1
dn: DC=\ mattermost,DC=xxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxx,DC=intranet
objectGUID: e8b22b70-c0b6-42e3-903e-878ba70710c4

# record 2
dn: DC=\ mattermost,DC=xx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xx,DC=intranet
objectGUID: 696b66d1-ff7a-46c8-8a78-46085ea8cb36

udm dns/host_record list --filter relativeDomainName=*mattermos:

relativeDomainName=*mattermost
DN: relativeDomainName=\20mattermost,zoneName=xxxx.intranet,cn=dns,dc=xxxx,dc=intranet
  a: 172.16.6.34
  name:  mattermost
  zonettl: 3 hours

Uzzi · October 17, 2023, 2:10pm

GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
dn: DC=\ mattermost,DC=xxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxx,DC=intranet
dn: DC=\ mattermost,DC=xxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxx,DC=intranet

scheinig · October 17, 2023, 2:27pm

So these objects are the same?

dn: DC=\ mattermost,DC=xxxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxx,DC=intranet
dn: DC=\ mattermost,DC=xxx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xxx,DC=intranet

or are they different. The “xxx” vs “xxxx” is confiusing.
If there is two times the same obejct, one should be deleted, because in openLdap is only one.

Uzzi · October 17, 2023, 2:40pm

no hahahaha I’ve only write XXXX to obfuscate real domain name

GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
dn: DC=\ mattermost,DC=xx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xx,DC=intranet
dn: DC=\ mattermost,DC=xx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xx,DC=intranet

scheinig · October 20, 2023, 9:44am

okay, so it is two times in the samba database.
So I suggest to delete one entry, but I am not sure if it deletes just one, or maybe both entries. So a snapshot would be good, just in case, and /or do a backup of both files:

univention-s4search --cross-ncs ObjectGUID=e8b22b70-c0b6-42e3-903e-878ba70710c4 > mattermost1.s4-ldif
univention-s4search --cross-ncs ObjectGUID=696b66d1-ff7a-46c8-8a78-46085ea8cb36 > mattermost2.s4-ldif

And you can delete the entry like that:

ldbdel -H /var/lib/samba/private/sam.ldb --cross-ncs 'DC=\ mattermost,DC=xx.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=xx,DC=intranet'

Uzzi · October 20, 2023, 4:11pm

completed re-index OK

Now I’ve joined a new slave node

Thank you

scheinig · October 23, 2023, 1:51pm

awesome! I am happy, your problem is solved.